Randy Lee FireEye Labs. Understanding Modern Malware.

Transcription

1 Randy Lee FireEye Labs Understanding Modern Malware.

2 History Of Malware Creeper Virus - Experimental self replicating worm Rabbit - The Fork Bomb 1974 Pervading Animal - First Trojan Elk Cloner - Storage Vulnerability 1981 Brain - Boot sector virus Morris Worm - Buffer Overrun 1988 Chameleon - Polymorphic virus Michelangelo Leandro & Kelly OneHalf Concept Ply CIH Happy 99 Melissa ExploreZip Kak Worm ILOVEYOU Anna Kournikova Sadmind Worm Sircam Code Red Code Red II Nimda Klez Simile Virus Beast Mylife Optix Pro SQL Slammer Graybird ProRat Blaster Welchia Sobig Sober Agobot Bolgimo Bagle L10n MyDoom Netsky Witty Sasser Cabir Torpig Koobface W32.Dozer Stuxnet Kenzero The list goes on

3 APT The New Threat Landscape Cyber-espionage and Cybercrime Coordinated Persistent Threat Actors Dynamic, Polymorphic Malware Damage of Attacks Disruption Cybercrime Spyware/ Bots Advanced Persistent Threats Zero-day Targeted Attacks Dynamic Trojans Stealth Bots New Threat Landscape Worms Viruses Multi-Vector Attacks Multi-Staged Attacks

4 Cyber Attacks Percent of Deployments Incidents/Week at Normalized Bandwidth 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 98.5% of deployments see at least 10 incidents*/week/gbps 20% of deployments have thousands of incidents*/week Average is about 221 incidents*/week 1 Gbps 0% ,000 10, ,000 Source: FireEye Advanced Threat Report, March, 2013 * Incidents include inbound and outbound activity

5 Old Model Everywhere The New Breed of Attacks Evade Signature-Based Defenses IPS Anti-Spam Gateways Firewalls /NGFWs Secure Web Gateways Desktop AV

6 Multiple Stages of a Next Generation Attack 1. Exploitation of System Exploit Server Server 2. Malware Executable Download NGFW 3. s and Control Established File Share 2 IPS 4. Data Exfiltration 5. Malware Spreads Laterally File Share 1 Exploit Detection is Critical All Subsequent Stages can be Hidden or Obfuscated

7 What is an exploit? Compromised webpage with exploit object Exploit object can be in ANY web page An exploit is NOT the same as the malware executable file! 1. Exploit object rendered by vulnerable software 2. Exploit injects code into running program memory 3. Control transfers to exploit code

8 Structure of a multi-flow APT attack Exploit Server Embedded Exploit Alters Endpoint

9 Structure of a multi-flow APT attack Exploit Server Server Embedded Exploit Alters Endpoint

10 Structure of a multi-flow APT attack Exploit Server Server Encrypted Malware Embedded Exploit Alters Endpoint Encrypted malware downloads

11 Structure of a multi-flow APT attack Exploit Server Server Encrypted Malware Command and Control Server Embedded Exploit Alters Endpoint Encrypted malware downloads and data exfiltration

12 Structure of a multi-flow APT attack Exploit Server Server Encrypted malware Command and Control Server Embedded Exploit Alters Endpoint Encrypted malware downloads and data exfiltration

13 Multi-Flow Structure of APT Attacks (Aurora, Beebus, CFR, etc.) Exploit injects code in Web browser Exploit in compromised Web page Encrypted Malware Command and Control Server Exploit code downloads encrypted malware (not SSL!) Exploit code decrypts malware Target end point connects to C&C server

14 Multi-Vector Structure Weaponized attachment with zero-day exploit with weaponized document, opened by user, causing exploit Weaponized (2011 Recruitment Plan.xls) Server Backdoor C&C Server Client endpoint calls back to infection server Backdoor DLL dropped Encrypted callback over HTTP to command and control server

15 Multi-Vector Analysis of RSA Attack 2 1 SMTP Weaponized (2011 Recruitment Plan.xls) Backdoor 3 Backdoor 1 /Web with weaponized malware 2 User opens attachment causing exploit 3 Backdoor DLL dropped 4 Encrypted callback over HTTP to C&C 4 Encrypted callback Multi-vectored attack C&C Server

16 Multi-Vector Analysis of Operation Beebus Attack Defense Industry UAV/UAS Backdoor Manufacturers Aerospace Industry 1 /Web with weaponized malware 2 Backdoor DLL dropped on user opening 3 Encrypted callback over HTTP to C&C 1 SMTP / HTTP 2 3 Multi-vectored attack update.exe Weaponized UKNOWN (RHT_SalaryGuide_2012.pdf) RHT_SalaryGuide_2012.pdf install_flash_player.tmp2 Conflict-Minerals-Overview-for-KPMG.doc dodd-frank-conflict-minerals.doc update.exe Boeing_Current_Market_Outlook_ pdf Understand your blood test report.pdf RHT_SalaryGuide_2012.pdf sensor environments.doc Backdoor FY2013_Budget_Request.doc Dept of Defense FY12 Boeing.pdf April is the Cruelest Month.pdf National Human Rights China.pdf Encrypted callback C&C Server: worldnews.alldownloads.ftpserver.biz Security Predictions 2013.pdf rundll32.exe UKNOWN сообщить.doc install_flash_player.ex install_flash_player.tmp2 Global_A&D_outlook_2012.pdf Apr 2011 Sept 2011 Dec 2011 Feb 2012 Mar 2012 Apr 2012 May 2012 Jul 2012 Aug 2012 Sept 2012 Nov 2012 Jan 2013 Timeline of attack multiple vectors, multiple campaigns

17 Security. Re-imagined. Questions?